On 2015-01-08, 03:36 GMT, Richard Shaw wrote:
> In the specific case I ran into, one of the package suites I've been working on technically bundles a modified copy of xmlrpcpp. However, it is quite modified, upstream is dead, it's not already in Fedora, and the author I'm working with only uses it for communication between his suite of programs and has no intention of offering it as a separate library.
Hi,
I think in the end it is not so much a matter of definition as of where the buck stops. I believe these are the questions which need to be answered:

1) Will you be able to identify a security concern? This is far simpler for an independent, well-known library than for some directory down in your project, and even more difficult for hundreds of bundled libraries scattered all over the system (the famous Debian libz issue).

2) Who will fix the issue? Because if there is no well-maintained upstream for the library, or if the maintainer of your upstream is not willing or able to fix any issue which comes her way, then there is only one person who is responsible for fixing any such issue: you.
Best,
Matěj